Chief Judge Ricardo S. Martinez


UNITED STATES DISTRICT COURT FOR THE 
WESTERN DISTRICT OF WASHINGTON 
AT SEATTLE 


UNITED STATES OF AMERICA, 
Plaintiff 

v. 

DENYS IARMAK, 

Defendant. 


NO. CR19-257RSM 
MJ19-564 

STIPULATED MOTION TO REDACT 
COMPLAINT 

(FILED UNDER SEAL) 

Noting Date: May 20, 2020 


The parties, by and through their respective counsel, file this Stipulated Motion to 
Redact Complaint, and present the proposed order attached herewith. As discussed 
below, the parties request that the Court issue an order directing the Clerk of the Court to 
lodge the redacted version of the Complaint attached as Exhibit 1 and keep the original 
Complaint under seal. 

On November 20, 2019, a complaint was filed in MJ19-564 charging Defendant 
Iarmak with one Count of Conspiracy to Commit Computer Fraud and Abuse and one 
count of Access Device Fraud. On December 12, 2019, Defendant Iarmak was charged 
with a more expansive set of crimes in a 26-count indictment in CR19-257RSM. It is
anticipated that Defendant Iarmak will appear in this District on May 22, 2020. 

The parties request the proposed redactions to protect certain aspects of the 
government’s ongoing investigation of the cybercriminal group known as FIN7. Among 
other things, the parties seek to redact information about an individual who is under
investigation and with whom Defendant Iarmak has communicated in the past year.

DATED this 20th day of May, 2020.

Respectfully submitted, 

TESSA M. GORMAN 
First Assistant United States Attorney 
(Acting Under Authority Conferred by 28
U.S.C. § 515)

s/ Francis Franze-Nakamura

FRANCIS FRANZE-NAKAMURA 
STEVEN MASADA 
Assistant United States Attorneys 
United States Attorney’s Office 
700 Stewart Street, Suite 5220 
Seattle, Washington 98101-1271 
Telephone: 206.553.4402 
Fax: 206.553.4440 

Email: francis.franze-nakamura@usdoj.gov 

ANTHONY TEELUCKSINGH 
Trial Attorney 

Computer Crime and Intellectual Property 
Section, U.S. Department of Justice 

Per authorization by email: 

s/ Michael Nance

MICHAEL NANCE, Local Counsel 
CHARLES KASER, pro hac vice 
YELENA SHAROVA, pro hac vice 
Attorneys for Defendant Iarmak 

CERTIFICATE OF SERVICE

I hereby certify that on May 20, 2020, I filed the foregoing with the Clerk of the
Court and provided a copy by email to the attorney(s) of record for the defendant(s).


s/ Francis Franze-Nakamura

FRANCIS FRANZE-NAKAMURA 
Assistant United States Attorney 

CERTIFIED TRUE COPY
ATTEST: WILLIAM M. McCOOL
Clerk, U.S. District Court
Western District of Washington

Deputy Clerk

UNITED STATES DISTRICT COURT FOR THE 
WESTERN DISTRICT OF WASHINGTON 
AT SEATTLE 


UNITED STATES OF AMERICA, 
Plaintiff 
v. 

DENYS IARMAK, 
aka “Denys Olegovich Iarmak,” 
aka “Denis Jarmak,” 
aka “Denys Olehovych Yarmak,” 
aka “gaktus,” 
aka “gaktus01,”
aka “denis.jarmak,” 


Defendant.

NO.

COMPLAINT

Title 18, United States Code, Sections 371,
1029(a)(3), (b)(1), (c)(1)(A), and 2.

Filed Under Seal

BEFORE the Honorable Michelle L. Peterson, United States Magistrate Judge, 
United States Courthouse, Seattle, Washington. 

The undersigned complainant being duly sworn states: 

COUNT 1 

(Conspiracy to Commit Computer Fraud and Abuse) 

I. OFFENSE 

1. Beginning at a time unknown, but no later than September 2015, and 
continuing through on or about November 20, 2019, within the Western District of 
Washington, and elsewhere, the defendant, DENYS IARMAK, and others known and
unknown, did knowingly and willfully combine, conspire, confederate and agree together
to commit offenses against the United States, to wit:

a. to knowingly and with intent to defraud, access a protected computer
without authorization and exceed authorized access to a protected computer, and by
means of such conduct further the intended fraud and obtain anything of value exceeding
$5,000.00 in any 1-year period, in violation of Title 18, United States Code, Sections
1030(a)(4) and (c)(3)(A); and

b. to knowingly cause the transmission of a program, information,
code, and command, and as a result of such conduct, intentionally cause damage without
authorization to a protected computer, and cause loss to one or more persons during a
1-year period aggregating at least $5,000.00 in value and damage affecting 10 or more
protected computers during a 1-year period, in violation of Title 18, United States Code,
Sections 1030(a)(5)(A) and (c)(4)(B)(i).

II. OBJECTIVES OF THE CONSPIRACY

2. The objectives of the conspiracy included hacking into protected computer
networks using malware designed to provide the conspirators with unauthorized access
to, and control of, victim computer systems. The objectives of the conspiracy further
included conducting surveillance of victim computer networks and installing additional
malware on the victim computer networks for the purposes of establishing persistence,
and stealing payment card track data, financial information, and proprietary, private, and
non-public information, with the intention of using and selling such stolen items, either
directly or indirectly, for financial gain. The objectives of the conspiracy further
included installing malware that would integrate victim computers into a botnet that
allowed the conspiracy to control, alter, and damage compromised computers.

III. MANNER AND MEANS OF THE CONSPIRACY

3. The manner and means used to accomplish the conspiracy included the
following:

a. The conspiracy developed and employed various malware designed
to infiltrate, compromise, and gain control of the computer systems of victim companies
operating in the United States and elsewhere, including within the Western District of
Washington. The conspiracy established and operated an infrastructure of servers,
located in various countries, through which members coordinated activity to further the
scheme. This infrastructure included, but was not limited to, the use of command and
control servers, accessed through custom botnet control panels, that communicated with
and controlled compromised computer systems of victim companies.

b. The conspiracy targeted victims in the Western District of
Washington, and elsewhere, using, among other things, phishing techniques to distribute
malware designed to gain unauthorized access to, take control of, and exfiltrate data from
the computer systems of various businesses. The conspiracy typically initiated its attacks
by delivering, directly and through intermediaries, a phishing email with an attached
malicious file, using wires in interstate and foreign commerce, to an employee of the
targeted victim company. The attached malicious file was embedded malware. The
phishing email, through false representations and pretenses, fraudulently induced the
recipient to open the attachment and click on the file to unwittingly activate the malware.

c. If the recipient activated the malware, the computer on which it was
opened would become infected and connect to one or more command and control servers
controlled by conspiracy to report details of the newly infected computer and download
additional malware. The command and control infrastructure relied upon various servers
in multiple countries, including, but not limited to, the United States.

d. The conspiracy typically would install additional malware to
establish remote control of the victim computer. Once a victim’s computer was
compromised, the conspiracy would incorporate the compromised machine or “bot” into
a botnet.

e. The conspiracy used its access to the victim’s computer network and
information gleaned from surveillance of the victim’s computer systems to install
additional malware designed to target and extract particular information and property of
value, including payment card data and proprietary and non-public information. 

f. The conspiracy frequently targeted payment cards used at the victim 
companies by customers making legitimate point-of-sale (POS) purchases. In those 
cases, the conspiracy configured malware to extract, copy, and compile the payment card 
data, and then to transmit the data from the victim computer systems to servers controlled 
by conspiracy. 

g. The conspiracy then monetized that stolen payment card data by, 
among other things, offering the payment card data for sale on various websites dedicated 
to such carding activity. 


IV. OVERT ACTS 

4. In furtherance of the conspiracy, and to achieve the objects thereof, the 
defendants, and others known and unknown, did commit and cause to be committed, the 
following overt acts, among others, in the Western District of Washington and elsewhere: 

a. On or about August 8, 2016, the conspiracy sent multiple phishing 
emails, containing a file embedded with malware, to an employee of the Emerald Queen 
Hotel and Casino (EQC), a federally recognized Native American Tribe with locations in 
Pierce County, within the Western District of Washington. 

b. Between on or about March 24, 2017, and April 18, 2017, the 
conspiracy harvested payment card data from point-of-sale devices from Chipotle 
Mexican Grill, including dozens of locations in the Western District of Washington. 

c. On or about April 28, 2017, DENYS IARMAK communicated with
another member of the conspiracy in furtherance of the hacking activity, including
discussing the creation and use of phishing emails.

d. On or about July 24, 2017, DENYS IARMAK and another
member of the conspiracy discussed information stolen from a victim company.

e. On or about October 27, 2017, DENYS IARMAK and another
member of the conspiracy discussed information about the compromised computer 
system of a victim company. 

All in violation of Title 18, United States Code, Section 371. 

COUNT 2 

(Access Device Fraud) 

5. The allegations set forth in above paragraphs are re-alleged and 
incorporated as if fully set forth herein. 

6. Beginning at a time unknown, and continuing through on or about 
November 20, 2019, within the Western District of Washington, and elsewhere, the 
defendant, DENYS IARMAK, and others known and unknown, knowingly and with 
intent to defraud, possessed fifteen or more counterfeit and unauthorized access devices, 
namely, payment card data, account numbers, and other means of account access that can 
be used, alone and in conjunction with another access device, to obtain money, goods, 
services, and any other thing of value, and that can be used to initiate a transfer of funds, 
and aided and abetted such conduct; said activity affecting interstate and foreign 
commerce.

All in violation of Title 18, United States Code, Sections 1029(a)(3), 1029(b)(1), 
1029(c)(1)(A), and 2. 

And the complainant states that this Complaint is based on the following 
information: 

I, Briana L. Neumiller, being first duly sworn on oath, depose and say: 

I. INTRODUCTION AND AGENT BACKGROUND 

7. I am a Special Agent with the Federal Bureau of Investigation (FBI), and 
have been since 2009. I am assigned to the Cyber squad where I investigate computer 
intrusions. My experience as an FBI Agent includes the investigation of cases involving 
the use of computers and the Internet to commit crimes. I have received training and 
gained experience in interviewing and interrogation techniques, arrest procedures, search
warrant applications, the execution of searches and seizures, Cybercrimes, computer
evidence identification, computer evidence seizure and processing, and various other
criminal laws and procedures. I have participated personally in the execution of search
warrants involving the search and seizure of computer equipment. 

8. As set forth herein, I submit that probable cause exists to establish that the
defendant, DENYS IARMAK, knowingly and intentionally participated in a scheme to
hack the protected computer networks of various victim entities and steal payment card
data and information, which constitute unauthorized “access devices,” in violation of
federal law, to include Conspiracy to Commit Computer Fraud and Abuse, in violation of 
Title 18, United States Code, Section 371, and Access Device Fraud, in violation of Title 
18, United States Code, Sections 1029(a)(3), 1029(b)(1), 1029(c)(1)(A), and 2. 
Accordingly, I seek the issuance of an arrest warrant for IARMAK. 

9. The facts set forth in this Affidavit are based on my own personal 
knowledge; knowledge obtained from other individuals during my participation in this 
investigation, including other law enforcement personnel and computer scientists; review 
of documents and records related to this investigation; communications with others who 
have personal knowledge of the events and circumstances described herein; and 
information gained through my training and experience. Because this Affidavit is 
submitted for the limited purpose, it does not set forth each and every fact that I or others 
have learned during the course of this investigation.

II. SUMMARY OF PROBABLE CAUSE 

A. Background 

10. U.S. authorities are investigating a transnational cybercriminal group 
engaged in a hacking and fraud scheme. Since at least September 2015, and continuing 
to the present, the group has attacked the protected computer networks of hundreds of 
businesses with the goal of infecting computer systems with malicious software (or, 
“malware”) that allows the group to access and steal non-public information, such as 
customer payment card data. Based on the initial estimates, this hacking scheme has
stolen tens of millions of payment card numbers and has caused over 100 million dollars 
(U.S.) in losses to U.S. financial institutions and companies. 

11. The hacking group generally, but not exclusively, targeted computer 
systems of businesses, primarily in the restaurant, gaming, and hospitality industries, 
including numerous confirmed victims located in the Western District of Washington.
For instance, confirmed victims of the hacking group who have publicly acknowledged
being attacked include numerous restaurant chains, such as Chipotle Mexican Grill, 
including multiple store locations within the Western Washington. For example, between 
approximately March 24, 2017, and April 18, 2017, the group, having successfully 
breached the protected systems of numerous Chipotle restaurant locations, harvested 
payment card data from point-of-sale devices, including dozens of locations in the 
Western District of Washington. 

12. The group also targeted the Emerald Queen Hotel and Casino (EQC), a 
hotel and casino owned and operated by a federally recognized Native American Tribe 
with locations in Pierce County, within the Western District of Washington. For 
instance, on or about August 8, 2016, the group, either directly or through intermediaries, 
sent multiple phishing emails, containing a file embedded with malware, to an employee 
of EQC. 

13. Credit cards compromised through the group’s prolific hacking activity
affected accounts held at dozens of federally insured financial institutions and credit 
unions, including, among others, BECU, a credit union headquartered in the Western 
District of Washington. For example, on or about March 10, 2017, stolen card data 
related to accounts held at BECU, compromised through the computer network intrusion 
of a confirmed victim of this hacking group, was used to make unauthorized purchases at
a merchant in Puyallup, Washington. 

The Hacking Group’s Attack Methodology

14. The hacking group generally has targeted restaurants, hotels, and other
businesses that engage in high volumes of point-of-sale payment card transactions.
Generally, the hacking group attacks victim companies with phishing[1] emails that have
attachments that either contain malware or link to malware. The phishing campaign will
often involve a call to the recipient of a phishing email and the use of social engineering
techniques to encourage the recipient to open the attachment and activate the group’s
malware.

15. For example, as part of a phishing campaign, a member or affiliate of the
hacking group may call a hotel’s customer service representative under the pretense of
being a customer who wants to make a reservation. The caller will claim falsely that the
details of the reservation request can be found in a file attached to an email previously
sent by the caller. If the employee opens the attachment and activates the embedded
malware, the computer on which it was opened will become infected and connect to the
hacking group’s command and control servers to report details of the newly infected
computer and to download additional malware. The additional malware will run
automatically and will connect to additional servers used by the scheme to establish
remote control of the infected computer.

16. After gaining access to a victim’s computer, the hacking group will deploy
a wide variety of malware tools to conduct surveillance, control infected computers, and
steal data. One of the hacking group’s primary goals is to target point-of-sale systems
that process high volumes of payment card transactions. Once the hacking group locates
a point-of-sale system, it will use malware to capture and steal payment card data. The
stolen data will then be sold on various criminal underground forums or through private
sales.

[1] Phishing is a technique in which the perpetrators use email messages and/or fake
websites to trick people into providing information, such as network credentials (e.g.,
user names and passwords) that may later be used to gain access to the victim’s systems.
Phishing often utilizes social engineering techniques similar to traditional con-artist
techniques in order to trick victims into believing they are providing their information to
a trusted vendor or other acquaintance. Phishing emails are also often used to trick a
victim into clicking on documents or links that contain malicious software that will
compromise the victim’s computer system.

17. The hacking group remains extremely active. The hacking group continues 
to launch extensive phishing attacks and steal point-of-sale information from businesses, 
such as fast food restaurants, that process a large volume of point-of-sale transactions. 
Additional phishing campaigns also indicate that the hacking group has expanded its 
reach, and is now attacking victims such as law firms and other service providers with 
access to customer lists or confidential financial information. 

The Hacking Group’s Use of a Virtual Work Environment 

18. The hacking group does not have a central office or work location. Instead, 
the hacking group uses a distributed work force that relies on a secure, virtual work 
environment to coordinate its illegal activity. This virtual work environment allows 
members in different cities and countries to remotely attack, access, and control victim 
computers in an organized fashion. This virtual work environment also allows the 
hacking group to tightly control who can access the work environment, thereby 
protecting the group’s illegal activity. 

19. One component of the virtual work environment is an elaborate network of 
servers located throughout the world that the hacking group uses as part of its command 
and control infrastructure. U.S. authorities have identified and examined a number of 
these command and control servers. This examination revealed that the servers are used 
to host control panels that allow the hacking group to remotely access and control 
compromised victim computers. Log data and intercepted communications demonstrated 
that members of the hacking group routinely access the control panels from their 
residences. 


20. Another component of the virtual work environment is a number of
communication servers located throughout the world that the hacking group uses to
facilitate the malware scheme. U.S. authorities have identified and examined a number
of these servers. This examination demonstrated that the servers provide the hacking 
group with both secure channels of communication and virtual platforms on which they 
coordinate their attacks against victim companies even though each member is working 
from a remote location. For example, in approximately August 2017, foreign law 
enforcement provided U.S. authorities with a forensic image of a physical server used by 
the hacking group (hereinafter, “Server-1”). Analysis of the image showed that Server-1 
contained numerous virtual communication servers, including a private Jabber server that 
permitted members of the hacking group to have encrypted communications about their 
illegal activity. Jabber is an instant messaging service that allows members to send 
encrypted communications through a public or private server. In order to have an 
account within a private Jabber server, an administrator of the server must create an 
account for the user. 

21. Examination of the hacking group’s Jabber communications has allowed 
U.S. authorities to identify many members of the hacking group and their roles in the 
illegal enterprise. Although members of the hacking group generally used aliases and 
concealed their true names from each other, members regularly provided identifying 
information in Jabber communications with certain high-level members of the group to 
receive payment for their participation in the scheme. This information included 
information such as true names, addresses, bank account information, and information to 
receive digital currency or money order transfers. 

22. Server-1 also contained virtual HipChat servers. HipChat is a group chat,
instant messaging, and file-sharing program. Examination of the HipChat servers 
showed that the hacking group used HipChat to coordinate their efforts to breach the 
network securities of victim companies, to share stolen data such as payment card 
information, and to interview and recruit new members. 

23. Through this investigation, which has included review of evidence obtained 
from foreign authorities, U.S. authorities obtained and examined a forensic image of
another physical server used by hacking group (hereinafter, “Server-2”) in approximately
November 2017. Like Server-1, Server-2 contained numerous virtual communication
servers used to facilitate the malware scheme. Both Server-1 and Server-2 contained
virtual JIRA servers. JIRA is a project management and issue-tracking program
commonly used by software development teams. JIRA allows team members to create
“projects” containing posted “issues” under which other team members can make
comments and share data. This feature thereby facilitates collaboration between team
members who may be working from different locations or during different hours.

24. Examination of Server-1 and Server-2 revealed that members of the 
hacking group used the JIRA servers to collaborate on their efforts to breach and steal
data from victim companies. Often, hacking group members would create “issues” in
JIRA with names that referenced a particular victim. Under each JIRA “issue”, members
would track their progress breaching the victim’s security, upload data stolen from the
victim, and provide guidance to each other. The JIRA servers logged activity related to
an “issue” and tracked a variety of information including the user who created the
“issue”, users who commented under or uploaded files under the “issue”, and users who
otherwise had access to the “issue”. This information has allowed investigators to link
members to attacks against specific victims.

25. The hacking group’s Jabber, HipChat, and JIRA communications confirm
that the group’s virtual work environment allowed the members of the group to work
together closely even though the members were working from computers at their
residences or from their mobile devices. In numerous conversations, members of the
hacking group made reference to working at home or the need to go offline in order to
run domestic errands such as going to the doctor’s office. Notably, members of the
hacking group were required to work late at night in order to carry out malicious activity,
such as sending phishing emails, during the business hours of victim companies who
were located several time zones away.

Examination of Devices Belonging to Members of the Hacking Group

26. The U.S. authorities’ examination of devices belonging to individual 
members of the hacking group indicates that members of the hacking group keep
extensive evidence of their illegal activity on their personal computers and mobile 
devices, including data that is exchanged through the hacking group’s virtual work 
environment. For example, U.S. authorities examined a laptop seized by foreign 
authorities from the home of a member of the hacking group. The laptop contained many 
of the malware tools used by the hacking group in addition to credentials to remotely 
access the hacking group’s servers. One of the malware tools was used over 1,200 times 
over the course of a 16-month period. Forensic examination of communications on the 
laptop indicates that the owner of the laptop was largely working from home when he
developed phishing emails, attempted to breach victim computer systems, and stole data 
from compromised computers. In addition, the laptop had numerous folders, each 
dedicated to a specific victim, which contained data stolen from that victim. This stolen 
data included addresses for internal victim servers, login credentials (user name and
password) for victim servers, tax information, customer order information, and other
non-public information. Most notably, the laptop contained a variety of stolen financial
information, including stolen credentials that could be used to access a victim’s online 
bank accounts and over 4,000 unique payment card numbers. The laptop also contained 
extensive communications with dozens of members of the hacking group, including over 
80,000 Jabber messages. In certain of these communications, the user of the laptop 
requested money order transfers in return for work performed on behalf of the hacking 
group. 

27. Through this investigation, U.S. authorities also examined a laptop taken 
from a different member of the hacking group while he was on vacation in a foreign 
country. As with the first laptop, the second laptop contained extensive evidence of the 
malware scheme and information exchanged through the hacking group’s virtual 
workspace. For example, the second laptop contained malware tools, credentials to 
access the hacking group’s servers, data stolen from victims, and over 4,000 payment
card numbers. The laptop also contained over 85,000 Jabber communications with other 
members of the hacking group in which the owner of the laptop discussed his efforts to 
breach victims’ networks, shared stolen data, and requested payment in digital currency 
for his work. Notably, the Jabber communications indicate that the hacking group was 
using a wide-variety of digital currency services or exchanges including, but not limited 
to, Binance, Electrum, EXMO.com, and Monero. 

28. U.S. authorities have obtained evidence that members of the hacking group 
also use mobile devices to facilitate the malware scheme. In addition to private Jabber, 
HipChat, and JIRA servers, the hacking group uses a variety of other encrypted 
communication services such as Mumble, Telegram, Threema and Viber. U.S. 
authorities have gathered evidence that members of the hacking scheme access these 
communication services from their mobile devices. For example, pursuant to a mutual 
legal assistance request, U.S. authorities examined a mobile phone taken from one of the 
previously mentioned hacking group members while he was on vacation. The mobile 
phone contained communications with other members of the hacking group regarding the 
group’s illegal activity, including Telegram, Threema, and Viber communications. 

B. Denys Iarmak 

29. U.S. authorities have identified multiple members of the hacking group, 
including DENYS IARMAK, also known as Denys Olegovich Iarmak, Denis Jarmak, 
and Denys Olehovych Yarmak, a resident and citizen of Ukraine. Since at least 2016,
IARMAK, who used online aliases such as “gaktus,” “denis.jarmak”, and “gaktus01”
served as a hacker within the group and was involved in attacking multiple victim 
companies, including the successful hacks of several restaurant chains located in the 
United States. 

30. As with other members of the hacking group, IARMAK used the virtual 
work environment to collaborate and coordinate with other group members. For instance, 
on July 24, 2017, IARMAK used Jabber to exchange stolen victim information with 
another group member, Fedir Hladyr, charged in this District (United States v. Hladyr,
CR17-276RSM). Furthermore, on March 3, 2017, IARMAK, using the alias “gaktus,” 
updated a JIRA issue he had created for a specific victim company and uploaded data he 
had stolen from that U.S. company. IARMAK had access to approximately 25 JIRA 
issues on Server-1 and 20 JIRA issues on Server-2. 

31. In a Jabber conversation between IARMAK and Hladyr on October 20, 
2017, Hladyr provided user credentials for a compromised U.S. business. On October 27, 
2017, IARMAK replied back to Hladyr with internal system information of compromised 
machines related to the U.S. business. Through this investigation, authorities have 
confirmed that this hacking group stole payment card data from that U.S. business. 

32. IARMAK frequently used the aliases “denis.jarmak” and “gaktus” when 
communicating with other members of the hacking group. For example, on December 
24, 2016, in a Jabber communication between Hladyr and IARMAK 
(denis.jarmak@jabber.ru), according to a machine translation, IARMAK told Hladyr to 
add him into a room and provided the name “GakTus.” 

33. Like other members of the group, IARMAK provided his true name in 
order to receive payment for his work in furtherance of the group. For example, in a 
December 26, 2016 Jabber chat with one of the leaders of the hacking group, IARMAK 
(denis.jarmak@jabber.ru) sent his PrivateBank account number to receive salary 
payments. Further, through the investigation, authorities further identified IARMAK 
through his email account. For instance, authorities identified and later obtained a search 
warrant for IARMAK’s personal email account (denis.jarmak@gmail.com), which was 
inked to the PGP public key IARMAK used to have encrypted communications with 
other group members in furtherance of the coordinated hacking activities. According to 
records obtained from Google, the subscriber for this email account is Denis Jarmak. 

This email account contained photos of IARMAK’s Ukrainian passports and other 
identification documents. According to this and other documentation, 

IARMAK is believed to 
currently reside in Kyiv, Ukraine. The passport listed IARMAK’s date of birth as 
XX/XX/1989. The email account also contained a copy of IARMAK’s resume (which, 
according to a machine transliteration, was in the name Denys Olegovych Yarmak), with 
the same date of birth, and listed his father’s, mother’s, and sister’s names, which was 
corroborated through other sources. IARMAK’s resume listed work experience as a 
system administrator for multiple companies. The email account also contained a 
registration email for the aforementioned Jabber account (denis.jarmak@jabber.ru) and 
account creation and security alerts for one of IARMAK’s linked email accounts, 
gaktus01@gmail.com, among others. 

34. IARMAK also used the email account denis.jarmak@gmail.com in 
furtherance of the group’s scheme. For example, in early April 2017, IARMAK 
exchanged multiple messages with an Anti-Virus (AV) company related to activating an 
AV product. IARMAK also forwarded copies of these emails to two other known members 
of the hacking group. Through the investigation, authorities have determined that one of 
the techniques used by the group is to check their various malware against AV products 
disconnected from the Internet. This technique allows the group to determine whether the 
malware is being detected by the AV product as malicious without providing a copy of 
the malware to the AV companies. 

35. In a translated Jabber communication on April 28, 2017, between 
IARMAK and Dmytro Fedorov, another known group member charged in this District 
(United States v. Fedorov, CR18-004RSM), IARMAK explained to Fedorov how to 
create the malware payload for a phishing document and referenced going into the 
machine with AV. IARMAK noted that a particular payload was detected by two AV 
companies, which meant that it was “burned somewhere.” When Fedorov noted another 
tool used by the group that was tested against AV, IARMAK sought details on whether 
the testing was done with the interface to the Internet turned off. This conversation was 
consistent with the known methodology of the hacking group. 

36. In that same conversation, IARMAK also discussed phishing emails and 
specifically advised that he usually replaced the default picture of the embedded file 
which deploys malware if double clicked with some other image specific to the targeted 
company. As noted above, the investigation and security community reporting have 
observed that the phishing messages sent by this hacking group usually seek to 
manipulate targeted victims into double clicking on an image in the message attachment 
to activate malware and compromise machines on the victim network. 


37. IARMAK also was implicated by other members of the hacking group. In 

III. CONCLUSION 

38. Based on the above facts, I respectfully submit that there is probable cause 
to believe that DENYS IARMAK did knowingly and intentionally commit the 
offenses of Conspiracy to Commit Computer Fraud and Abuse, in violation of Title 18, 
United States Code, Section 371, and Access Device Fraud, in violation of Title 18, 
United States Code, Sections 1029(a)(3), 1029(b)(1), 1029(c)(1)(A), and 2. 




Briana L. Neumiller, Complainant 
Special Agent, Federal Bureau of 
Investigations 


Based on the Complaint and Affidavit sworn to before me, and subscribed in my 
presence, the Court hereby finds that there is probable cause to believe the Defendant 
committed the offenses set forth in the Complaint. 

Dated this day of November, 2019. 



United States Magistrate Judge 

Chief Judge Ricardo S. Martinez 


UNITED STATES DISTRICT COURT FOR THE 
WESTERN DISTRICT OF WASHINGTON 
AT SEATTLE 


UNITED STATES OF AMERICA, 

Plaintiff 

v. 

DENYS IARMAK, 

Defendant. 

This matter, having come before the Court on a Stipulated Motion to Redact 
Complaint, the Court hereby enters the following order: 

IT IS HEREBY ORDERED that the complaint in this matter shall remain SEALED 
until further order of the Court. 

IT IS FURTHER ORDERED that the Clerk of the Court shall lodge the redacted 
version of the Complaint, attached as Exhibit 1 to the parties’ stipulated motion, in lieu of the 
original document when the dockets for the above-captioned cases are unsealed. 



NO. CR19-257RSM 
MJ19-564 

[PROPOSED] SEALING ORDER 


SO ORDERED. 

DATED this ___ day of May, 2020. 


RICARDO S. MARTINEZ 
United States District Judge 


Presented by: 


s/ Francis Franze-Nakamura 

FRANCIS FRANZE-NAKAMURA 

STEVEN MASADA 

Assistant United States Attorneys 

ANTHONY TEELUCKSINGH 
Trial Attorney 

Computer Crime and Intellectual Property Section 